Library does not correctly handle app process termination (activity re-creation) within authorize roundtrip

[dolly22]

Issue

Related to issues #600, #672 and PR #743

TL;DR Library holds some references in instance variables in RNAppAuthModule. When app process restarts (is stopped in background) when custom browser tab is displayed those instance variables are lost when new process is created. It always results in failed authorization, but sometimes application also crashes when accessing those uninitialized instance variables.

How to reproduce

1. Start authentication within your application
2. When custom browser tab is displayed kill application with adb shell am kill com.app (browser tab stays visible)
3. Finish authentication within browser tab

After authentication roundtrip if finished application process cold starts. There might be two outcomes depending if authorization Activity is correctly resumed or not. But both effectively result in failed authorization.

• Usually application just starts in it's initial state because activity was not resumed (caused by react native bug https://github.com/facebook/react-native/issues/30277)
• Application crashes with some null reference exception when activity resumes correctly

Details

If mentioned react native bug is worked around with some method like this and all Activity results are delivered to application the outcome changes and application crash is now deterministic on null reference exceptions.

There is also more discussion about this react native bug, and also some other library approaches - https://github.com/react-native-image-picker/react-native-image-picker/issues/1502

Possible fix discussion

To my understanding this will not be possible to correctly support authorization continuation after cold start without somewhat changing library api surface. There are multiple issues here.

Deliver activities from last session to javascript

We need another way how to deliver resumed startup activity results (RNAppAuthModule/onActivityResult) to javascript code as original authorize() Promise is already long lost and javascript was started from scratch after new application process was created.

I currently do use something like this in my workaround to deliver authorize results to application if no authorize() promise is available...

export function subscribeAuthorizeResultCallback(callback: (error?: Error, data?: AuthorizeResult) => void): Promise<void>

Flow contextual information to onActivityResult

There is no easy way how to flow contextual information from RNAppAuthModule/authorize to RNAppAuthModule/onActivityResult in case of process restart. It seems AppAuth-android library currently does not support flowing any custom information through result Intent.

Some values might be read from AuthorizationResponse.request that is available, but there are still some others like clientSecret, dangerouslyAllowInsecureHttpRequests that we need there.

[AntonL-tech]

Any updates on this one?

[carbonrobot]

While we monitor the upstream issue in React Native core, which has been open for several years, we are exploring secure alternatives.